VPC sharing allows multiple accounts to create their application resources, such as Elastic Compute Service (ECS), Server Load Balancer (SLB), and ApsaraDB for RDS instances, in shared and centrally managed Alibaba Cloud Virtual Private Clouds (VPCs). Shared VPCs are based on the Resource Sharing (RS) mechanism: a VPC owner can share VSwitches with accounts that belong to the same Alibaba Cloud enterprise account organization as the owner.

Features

The owner of the VPC (resource owner) shares its non-default VSwitches with other accounts (participants). The owner and the participants must belong to the same resource directory. Resource Directory is a service for managing hierarchical relationships among resources; enterprises use it to build a hierarchical map of how their resources relate to each other. For more information, see Overview.

By default, after a VSwitch is shared, participants can use the shared VSwitch without confirmation. Participants can create cloud resources in the shared VSwitch. Resources created by the owner and resources created by the participants in the same VPC are interconnected by default.

[Figure: Shared VPCs diagram]

Resource owner permissions and participant permissions

After a resource owner shares a VSwitch with a participant, the resource owner and the participant have the following permissions on the shared VSwitch and the resources in the shared VSwitch:

User group: Resource owner
Operations supported:
  • Create, view, modify, and delete resources in the shared VSwitch.
  • View the following attributes of resources created in the shared VSwitch:
    • Instance ID.
    • Private IP address.
    • Resource owner account.
Operations not supported:
  • Modify or delete resources created by participants in a shared VSwitch.

User group: Participant
Operations supported:
  • Create, modify, or delete cloud resources, such as ECS, SLB, and ApsaraDB for RDS instances, in a shared VSwitch.
Operations not supported:
  • View, modify, or delete resources created by other accounts in a shared VSwitch.

After a VSwitch is unshared, participants can continue to use the resources they already created in it, but they can only modify or delete those existing resources. They can no longer create resources in the unshared VSwitch, and they cannot view resources related to it, such as the VPC, route tables, CIDR blocks, and network ACLs.
The resource owner and participants have the following permissions on other network resources:
Network resource: VPC
Resource owner operations: All operations.
Participant operations: View the VPC of the VSwitches shared with the participant.

Network resource: VSwitches
Resource owner operations: All operations.
  Note: If a participant wants to delete a VSwitch, make sure that the VSwitch is in the unshared state and that all resources associated with it, including those created by the participant and by the resource owner, have been deleted.
Participant operations:
  • View shared VSwitches.
  • Create, modify, and delete cloud resources, such as ECS, ApsaraDB for RDS, and SLB instances, in a shared VSwitch.

Network resource: Route tables
Resource owner operations: All operations.
Participant operations: View route tables and route entries bound to the VSwitches shared with the participant.

Network resource: Network ACL
Resource owner operations: All operations.
Participant operations: View network ACLs bound to the VSwitches shared with the participant.

Network resource: CIDR block
Resource owner operations: View the VPC and the CIDR blocks of all VSwitches.
Participant operations: View the CIDR blocks of the VSwitches shared with the participant.

Network resource: Flow logs
Resource owner operations:
  • Create VPC or VSwitch flow logs. The logging policy takes effect on the participant's ENIs in the VSwitch.
  • Create ENI flow logs. The logging policy takes effect on the resource owner's ENIs in the VSwitch.
Participant operations: No permission.

Network resource: Network Address Translation (NAT) Gateway
Resource owner operations: All operations.
  Note:
  • Resources created by the resource owner and resources created by participants can access the external network through a NAT gateway.
  • NAT gateways can only be bound to Elastic IP addresses of the resource owner.
Participant operations: No permission.

Network resource: VPN Gateway
Resource owner operations: All operations.
  Note: Resources created by the resource owner and resources created by participants can access the external network through a VPN gateway.
Participant operations: No permission.

Network resource: Association with a CEN instance
Resource owner operations: All operations.
  Note: Resources created by the resource owner and resources created by participants can access the external network through CEN.
Participant operations: No permission.

Network resource: VPC peer-to-peer connection
Resource owner operations: All operations.
  Note: Resources created by the resource owner and resources created by participants can access the external network through a VPC peer-to-peer connection.
Participant operations: No permission.

Network resource: Tag
Resource sharing does not affect the tags bound to the resource owner's resources. After a VSwitch is shared, both the participants and the resource owner can configure tags on it. Tags configured by participants and tags configured by the resource owner are not visible to each other and do not affect each other. When a VSwitch is unshared, the system deletes the tags that participants configured on it.

Billing method

In a shared VPC, participants only pay for the resources that they have created, such as ECS instances, SLB instances, and ApsaraDB for RDS instances. Fees charged for gateway resources, such as NAT gateways, VPN gateways, and Internet bandwidth, are paid by the resource owner.

Limit

The quota limits on shared VPCs are listed in the following table:
Note Shared VPCs also follow the quota limits of standard VPCs. For more information, see Limits.
Item: Number of participants supported by a VPC
Limit: 20
Quota increase supported: Not adjustable.

Item: Number of participants supported by a VSwitch in a VPC
Limit: 20
Quota increase supported: Not adjustable.

Item: Number of VSwitches that can be shared with a participant
Limit: 10
Quota increase supported: Not adjustable.

Item: Number of IP addresses that a VPC can use
Limit: Shared by the resource owner and participants.
Quota increase supported: Not adjustable.

Item: Types of VSwitches that can be shared
Limit: Non-default VSwitches only.
Quota increase supported: Not adjustable.

Item: Regions that support VPC sharing
Limit:
  • Singapore
  • China (Zhangjiakou-Beijing Winter Olympics)
  • China (Hangzhou)
  • China (Shanghai)
Quota increase supported: Not adjustable.

Item: Cloud resources that can be created in a shared VSwitch
Limit:
  • Elastic Compute Service (ECS) instances
  • SLB instances
  • ApsaraDB for RDS instances
Quota increase supported: Not adjustable.

Item: Limits on security groups in a shared VPC
Limit:
  • A participant cannot create resources with security groups that belong to other participants or to the resource owner, including the default security group.
  • The resource owner cannot create resources with security groups that belong to participants.
Quota increase supported: Not adjustable.
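The permission tables above and the security-group and participant-count limits in this table can be checked against a small reference model. The following Python is an added example written for this page, not Alibaba Cloud code or an SDK call: the account IDs, resource IDs, action names and in-memory structures are all constructed. It encodes the rules as the page states them: the owner may view but not modify or delete participant-created resources, a participant's access to a VSwitch ends when it is unshared except for resources it already created, each account may only attach its own security groups, participant tags on an unshared VSwitch are removed, and the three quotas (20 participants per VPC, 20 per VSwitch, 10 shared VSwitches per participant) are enforced.

```python
"""Reference model of the shared-VSwitch permission and quota rules on this page.
Added example, not Alibaba Cloud code; all IDs and action names are constructed."""
from collections import namedtuple
from dataclasses import dataclass, field

# Quotas from the Limit table (all listed as not adjustable).
MAX_PARTICIPANTS_PER_VPC = 20
MAX_PARTICIPANTS_PER_VSWITCH = 20
MAX_VSWITCHES_PER_PARTICIPANT = 10
# VPC-level objects a participant may view only through a currently shared VSwitch.
VPC_LEVEL_VIEWS = {"view_vpc", "view_route_table", "view_network_acl", "view_cidr"}

# creator: account that created the instance; sg_owner: owner of its security group.
Resource = namedtuple("Resource", "rid vswitch creator sg_owner")


@dataclass
class SharedVpc:
    owner: str
    default_vswitches: set = field(default_factory=set)
    shares: dict = field(default_factory=dict)        # vswitch -> set of participants
    resources: dict = field(default_factory=dict)     # rid -> Resource
    vswitch_tags: dict = field(default_factory=dict)  # (vswitch, account) -> tags

    def participants(self):
        return set().union(*self.shares.values()) if self.shares else set()


def share(vpc, vswitch, participant):
    """Share a non-default VSwitch with a participant, enforcing the three quotas."""
    if vswitch in vpc.default_vswitches:
        return False, "only non-default VSwitches can be shared"
    accts = vpc.shares.setdefault(vswitch, set())
    if participant in accts:
        return True, "already shared"
    if participant not in vpc.participants() and len(vpc.participants()) >= MAX_PARTICIPANTS_PER_VPC:
        return False, "VPC participant quota reached"
    if len(accts) >= MAX_PARTICIPANTS_PER_VSWITCH:
        return False, "VSwitch participant quota reached"
    if sum(participant in a for a in vpc.shares.values()) >= MAX_VSWITCHES_PER_PARTICIPANT:
        return False, "participant already has the maximum number of shared VSwitches"
    accts.add(participant)
    return True, "shared"


def unshare(vpc, vswitch, participant):
    """Unshared state: existing resources stay usable, participant's VSwitch tags are deleted."""
    vpc.shares.get(vswitch, set()).discard(participant)
    vpc.vswitch_tags.pop((vswitch, participant), None)


def authorize(vpc, account, action, vswitch, rid=None, sg_owner=None):
    """Return (allowed, reason) for an action, following the two permission tables."""
    is_owner = account == vpc.owner
    currently_shared = account in vpc.shares.get(vswitch, ())
    if action == "create":
        if sg_owner != account:  # security-group limit: only your own security groups
            return False, "security group belongs to another account"
        if is_owner or currently_shared:
            return True, "owner, or VSwitch currently shared with this participant"
        return False, "cannot create in an unshared VSwitch"
    if action in VPC_LEVEL_VIEWS:
        if is_owner or currently_shared:
            return True, "visible"
        return False, "VPC-level objects are hidden once the VSwitch is unshared"
    res = vpc.resources.get(rid)
    if res is None:
        return False, "no such resource"
    if res.creator == account:
        return True, "own resource; still usable after unsharing"
    if is_owner and action == "view":
        return True, "owner sees only instance ID, private IP and owner account"
    return False, "resources created by another account cannot be viewed or changed"


def create(vpc, account, rid, vswitch, sg_owner):
    """Create a resource only when authorize() permits it."""
    ok, reason = authorize(vpc, account, "create", vswitch, sg_owner=sg_owner)
    if ok:
        vpc.resources[rid] = Resource(rid, vswitch, account, sg_owner)
    return ok, reason


def demo():
    """Share -> create -> unshare walkthrough with constructed IDs; returns each decision."""
    vpc = SharedVpc(owner="owner-acct", default_vswitches={"vsw-default"})
    r = {}
    r["share_default"] = share(vpc, "vsw-default", "part-a")[0]
    r["share"] = share(vpc, "vsw-app", "part-a")[0]
    r["part_create"] = create(vpc, "part-a", "i-a1", "vsw-app", "part-a")[0]
    r["part_create_owner_sg"] = create(vpc, "part-a", "i-a2", "vsw-app", "owner-acct")[0]
    r["owner_create_part_sg"] = create(vpc, "owner-acct", "i-o1", "vsw-app", "part-a")[0]
    r["owner_view_part_res"] = authorize(vpc, "owner-acct", "view", "vsw-app", rid="i-a1")[0]
    r["owner_delete_part_res"] = authorize(vpc, "owner-acct", "delete", "vsw-app", rid="i-a1")[0]
    vpc.vswitch_tags[("vsw-app", "part-a")] = {"env": "test"}  # participant tags the VSwitch
    unshare(vpc, "vsw-app", "part-a")
    r["part_modify_after_unshare"] = authorize(vpc, "part-a", "modify", "vsw-app", rid="i-a1")[0]
    r["part_create_after_unshare"] = create(vpc, "part-a", "i-a3", "vsw-app", "part-a")[0]
    r["part_view_rt_after_unshare"] = authorize(vpc, "part-a", "view_route_table", "vsw-app")[0]
    r["part_tags_after_unshare"] = ("vsw-app", "part-a") in vpc.vswitch_tags
    for i in range(MAX_PARTICIPANTS_PER_VSWITCH):  # fill the VSwitch, then try one more
        share(vpc, "vsw-app", "part-%02d" % i)
    r["quota_21st_participant"] = share(vpc, "vsw-app", "part-extra")[0]
    return r
```

Running `demo()` returns one boolean per decision; every rule in the tables maps to exactly one branch in `authorize()` or `share()`, which makes the model a convenient checklist when reviewing what a participant account can and cannot reach once a VSwitch is shared or unshared.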

Enable VPC sharing

For more information, see Enable VPC sharing.